Mozilla to pull antiphishing feature from Firefox 2.0 at Google's request

Computerworld - Mozilla Corp. will drop antiphishing protection from the final version of Firefox 2.0 at Google Inc.'s request when Mozilla updates the browser later this month, a company executive confirmed today.

When Mozilla rolls out Firefox 2.0.0.19, the browser will be missing the antiphishing feature that the aging browser has sported since it debuted in 2006, said Mike Beltzner, director of Firefox, in an e-mail today.

"The latest published update for Firefox 2, which is Version 2.0.0.18, has the Phishing Protection feature enabled and working," Beltzner said. "However, the next planned update for Firefox 2, Version 2.0.0.19, will be required to disable this feature."

Firefox 2.0.0.19, which will be the last security update for the browser before Mozilla discontinues support, is currently slated to ship on Dec. 16, according to notes from a status meeting earlier this week. Mozilla's policy is to support a browser for six months after it has been superseded by a new version. The company unveiled Firefox 3.0 in mid-June.

Dubbed "Phishing Protection" by Mozilla, the feature warns users when they attempt to reach a site suspected of hosting identity theft scams. The list of blocked sites is generated by Google, the search company that provided 88% of Mozilla's revenue during 2007.

Beltzner said Google asked Mozilla to disable the feature in Firefox 2.0.0.19 because the older browser line uses an obsolete protocol.

"The Phishing Protection feature in Firefox 2 relies on data provided by Google via the first version of the SafeBrowsing protocol," said Beltzner, who explained that Google and Mozilla had worked together to update the protocol, first to SafeBrowsing v2.1 late last year, and more recently, to SafeBrowsing v2.2.

Firefox 3.0 has relied on SafeBrowsing v2.1 since its release several months ago, but is transitioning to v2.2 this month for its antiphishing and anti-malware features, both which ping Google's servers for blacklists.

"Now that Firefox 2 is reaching the end of its support life span, we have been asked to turn this feature off as Google will no longer be supporting requests using the obsolete SafeBrowsing v1 protocol," said Beltzner.

Users who download Firefox 2.0.0.19, or update to that version later this month, will be told that the feature has been switched off, Beltzner said.

Firefox 3.0, which is currently at 3.0.4 and scheduled to update to 3.0.5 at the same time Mozilla ships the final Firefox 2.0 update, will continue to offer antiphishing protection. Users of the older browser can update to the newer line by downloading Firefox 3.0, or accepting the automatic upgrade offer that will begin reaching them today.

Beltzner said that Mozilla won't offer any antiphishing work-arounds for Firefox 2.0.0.19 users who want to keep using the older browser, but noted that there are similar tools available elsewhere. Alternatives to Firefox's built-in protection include the Netcraft Toolbar, WOT (Web of Trust) and FirePhish extensions, which can be downloaded from Mozilla's add-on site.

Read more about security in Computerworld's Security Knowledge Center.